ecf5549ec0822a63d17336a884809bbf5c463f38147389c2dc94ef536c63c8da

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
02/02/2024, 22:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ecf5549ec0822a63d17336a884809bbf5c463f38147389c2dc94ef536c63c8da.vbs
Size

1KB
MD5

51f19993474bc77d0cb4694bc6c8f643
SHA1

a8a0e732543b01b7f06ea0441449250b28359ddb
SHA256

ecf5549ec0822a63d17336a884809bbf5c463f38147389c2dc94ef536c63c8da
SHA512

aca05634a4fa2ba5930c10a32127bb1b719ed3fa62597a45f53484f2e9cba85c9af3ec7add9f0f1b6b24292703eb1a441c1850c4ed6a60d9fa50ee65948110a9

Score

7^/10

spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\ja-JP\prndrvr.vbs	WScript.exe
File created	C:\Windows\System32\Printing_Admin_Scripts\de-DE\prndrvr.vbs	WScript.exe
File created	C:\Windows\System32\Printing_Admin_Scripts\de-DE\pubprn.vbs	WScript.exe
File created	C:\Windows\System32\Printing_Admin_Scripts\fr-FR\pubprn.vbs	WScript.exe
File created	C:\Windows\System32\Printing_Admin_Scripts\ja-JP\prnjobs.vbs	WScript.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\de-DE\prnqctl.vbs	WScript.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\es-ES\pubprn.vbs	WScript.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\fr-FR\prnjobs.vbs	WScript.exe
File created	C:\Windows\System32\Printing_Admin_Scripts\en-US\prnjobs.vbs	WScript.exe
File created	C:\Windows\System32\Printing_Admin_Scripts\en-US\prnport.vbs	WScript.exe
File created	C:\Windows\System32\Printing_Admin_Scripts\es-ES\pubprn.vbs	WScript.exe
File created	C:\Windows\System32\Printing_Admin_Scripts\ja-JP\prndrvr.vbs	WScript.exe
File created	C:\Windows\SysWOW64\winrm.vbs	WScript.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\de-DE\prnjobs.vbs	WScript.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\fr-FR\prndrvr.vbs	WScript.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\ja-JP\prnport.vbs	WScript.exe
File created	C:\Windows\System32\winrm.vbs	WScript.exe
File created	C:\Windows\System32\Printing_Admin_Scripts\es-ES\prnmngr.vbs	WScript.exe
File created	C:\Windows\System32\Printing_Admin_Scripts\es-ES\prnqctl.vbs	WScript.exe
File created	C:\Windows\System32\Printing_Admin_Scripts\it-IT\prndrvr.vbs	WScript.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\en-US\prnjobs.vbs	WScript.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\fr-FR\prncnfg.vbs	WScript.exe
File created	C:\Windows\System32\Printing_Admin_Scripts\en-US\prnqctl.vbs	WScript.exe
File created	C:\Windows\System32\Printing_Admin_Scripts\ja-JP\pubprn.vbs	WScript.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\en-US\prnmngr.vbs	WScript.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\en-US\prnqctl.vbs	WScript.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\it-IT\prndrvr.vbs	WScript.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\it-IT\prnjobs.vbs	WScript.exe
File created	C:\Windows\System32\SyncAppvPublishingServer.vbs	WScript.exe
File created	C:\Windows\System32\Printing_Admin_Scripts\de-DE\prncnfg.vbs	WScript.exe
File created	C:\Windows\System32\Printing_Admin_Scripts\de-DE\prnport.vbs	WScript.exe
File created	C:\Windows\System32\Printing_Admin_Scripts\fr-FR\prncnfg.vbs	WScript.exe
File created	C:\Windows\System32\Printing_Admin_Scripts\fr-FR\prndrvr.vbs	WScript.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\it-IT\prncnfg.vbs	WScript.exe
File created	C:\Windows\System32\Printing_Admin_Scripts\es-ES\prncnfg.vbs	WScript.exe
File created	C:\Windows\SysWOW64\slmgr.vbs	WScript.exe
File created	C:\Windows\System32\Printing_Admin_Scripts\en-US\prndrvr.vbs	WScript.exe
File created	C:\Windows\System32\Printing_Admin_Scripts\it-IT\prnqctl.vbs	WScript.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\en-US\pubprn.vbs	WScript.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\es-ES\prnqctl.vbs	WScript.exe
File created	C:\Windows\System32\Printing_Admin_Scripts\de-DE\prnmngr.vbs	WScript.exe
File created	C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs	WScript.exe
File created	C:\Windows\System32\Printing_Admin_Scripts\it-IT\prncnfg.vbs	WScript.exe
File created	C:\Windows\System32\Printing_Admin_Scripts\it-IT\prnjobs.vbs	WScript.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\de-DE\prncnfg.vbs	WScript.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\de-DE\prndrvr.vbs	WScript.exe
File created	C:\Windows\System32\slmgr.vbs	WScript.exe
File created	C:\Windows\System32\Printing_Admin_Scripts\fr-FR\prnqctl.vbs	WScript.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\es-ES\prndrvr.vbs	WScript.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\es-ES\prnjobs.vbs	WScript.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\ja-JP\prnmngr.vbs	WScript.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\ja-JP\prnqctl.vbs	WScript.exe
File created	C:\Windows\System32\gatherNetworkInfo.vbs	WScript.exe
File created	C:\Windows\System32\Printing_Admin_Scripts\de-DE\prnjobs.vbs	WScript.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\es-ES\prnport.vbs	WScript.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\it-IT\prnport.vbs	WScript.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\ja-JP\pubprn.vbs	WScript.exe
File created	C:\Windows\System32\Printing_Admin_Scripts\de-DE\prnqctl.vbs	WScript.exe
File created	C:\Windows\System32\Printing_Admin_Scripts\fr-FR\prnport.vbs	WScript.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\de-DE\prnmngr.vbs	WScript.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\es-ES\prnmngr.vbs	WScript.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\ja-JP\prncnfg.vbs	WScript.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\fr-FR\prnport.vbs	WScript.exe
File created	C:\Windows\System32\Printing_Admin_Scripts\en-US\prnmngr.vbs	WScript.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\Office16\OSPP.VBS	WScript.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..nagement-appvclient_31bf3856ad364e35_10.0.19041.1202_none_4132a4047d5d53b2\SyncAppvPublishingServer.vbs	WScript.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..nagement-appvclient_31bf3856ad364e35_10.0.19041.264_none_aa5417fd2708544d\SyncAppvPublishingServer.vbs	WScript.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ecf5549ec0822a63d17336a884809bbf5c463f38147389c2dc94ef536c63c8da.vbs"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:4144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ecf5549ec0822a63d17336a884809bbf5c463f38147389c2dc94ef536c63c8da.vbs

Filesize
3KB

MD5
9e9561f2474fc32273a604405a95457c

SHA1
5e680a00b9b0648d11eb442ac97e0b387b63ce9a

SHA256
53b6e5e42627576f3e4dc7234551571c4fe47b2c6cd6d55a31e1aea435f81665

SHA512
0d33c884568f85a1fae64e26954238e62a3a754f9e8fa22aa1ccafd097a530523cd2c97ebf1f1f52f0a90a6b7305886ecaeff108ab6f3a20971d5bb38410c9ba

Download Submit
C:\pass.on

Filesize
1.2MB

MD5
58dea1999c3d4169864a43425b5aadd0

SHA1
526dfc72216fb1e2dbf2095b37c0c37d8297546f

SHA256
845705b9be16063761a014c1f2f9d4a5846515b44aa0fa2a387330b97db8a237

SHA512
56a19966b8f718889e186ac51a56997f21e01e104c86e959fb254c16e02d3a9a2c203cc6c97e20d040a35fa4e2bd4446ce6b95c0c6ce2e031bce92526f199ed8

Download Submit